© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Justin Bradley, Specialist SA Desktop and AppStreaming28 June 2017

Using Microsoft Active Directory Across On-Premises and AWS Cloud

Windows Workloads

What to Expect from the session

Running Windows applications and workloads in the AWS Cloud

• Why Windows workloads in AWS need Active Directory (AD)• AD options for cloud workloads

AWS Directory Service for Microsoft Active Directory (Enterprise Edition) – “Microsoft AD”Other AWS Directory Service solutions

Why Windows workloads in AWS need AD

Enables users to use single sign-on (SSO) on desktops and corporate applicationsProvides central application/resource access management using groupsEnables central policy management of computers via group policy

AD options for cloud workloads

Domain join EC2 instances to on-premises Active Directory environmentRun/manage an Active Directory instance on EC2AWS Directory Service

• AWS Microsoft AD, managed Active Directory service

AWS Managed Service VPC

AWS MicrosoftAD DC

AD

VPC

EC2 Windows Server DC

AD

On-premises

Windows Server DC

AD

Application

Availability Zone

10.0.2.0/24

SQLServer

AppServer

IISServer

Availability Zone

Private Subnet

10.0.3.0/24

SQLServer

AppServer

IISServer

Remote Users / Admins

Example: Domain join EC2 to on-premises AD

Domain Controllers

DC

corporate data center

VPN Connection

DBAPPWEB

DBAPPWEB

Auth/LDAP

Auth/LDAP

Private Subnet

Private Subnet

10.0.2.0/24

DBAPPWEB

SQLServer

AppServer

IISServer

Private Subnet

10.0.3.0/24

DBAPPWEB

SQLServer

AppServer

IISServer

Remote Users / Admins

Domain Controllers

DC

corporate data center

VPN Connection

Example: AD on EC2 with replication or AD trust

DC

Domain Controller

DC

Domain Controller

Trust or Replication

Auth/LDAP

Auth/LDAP

Auth/LDAP

Application

Availability Zone

Availability Zone

Auth/LDAP

Auth/LDAP

DBRDSSQL Server

Availability Zone

Private Subnet

10.0.2.0/24

APPWEB

AppServer

IISServer

Private Subnet

10.0.3.0/24

APPWEB

AppServer

IISServer

Remote Users / Admins

Domain Controllers

DC

corporate data center

VPN Connection

Example: AWS Microsoft AD with AD trust to on-premises

DBRDSSQL Server

AWS Managed Services

AWS Managed Services

DCDomain Controller

DCDomain Controller

Trust

Application

Availability Zone

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

APPWEB

AppServer

IISServer

RDGW

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.1.0/24 10.0.3.0/24

APPWEB

AppServer

IISServer

RDGW

DC

DB

MicrosoftAD DC

RDSSQL

Server

DC

AWS Managed Services

MicrosoftAD DC

DBRDSSQL

Server

AWS Managed Services

Example: AWS Microsoft AD with everything in the cloud

VDI

WorkSpaces

VDI

WorkSpaces

Active Directory options for cloud workloads

AWS Microsoft AD EC2 AD Instance On-Premises AD

OperationManagement

AWS managedin the cloud

Customer managedin the cloud

Customer managedown hardware

Availability Built-in redundancy and replication

Customer must design for high availability

Customer must design for high availability

NetworkingTrust1 ports from cloud

to on-premises(least exposed)

Trust1 or replication2

ports from cloud toon-premises AD

Ports to support cloud to on-premises AD3 (most

exposed)

Admin Control Designated OU control; some apps unsupported Full control Full control

1 If trust to on-premises is used, open ports from DCs to on-premises DCs are needed2 AD replication requires more open ports than forest trusts, but limited to DC to DC communications3 Ports for domain joining, AD interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access

Selecting an Active Directory option

AWS Microsoft AD EC2 AD Instances On-Premises AD• Minimize cost, effort to run AD• Amazon RDS SQL Server• AWS Enterprise Applications1

• Windows workloads on Amazon EC22

• Require a replicated, multi-region AD solution

• Need NetBIOS name resolution support

• You require permissions not yet delegated by AWS Microsoft AD• E.g., Exchange, Sharepoint,

SQL Server AlwaysOnAvailability Groups

• Minimal EC2 instances require access to AD

• Latency to AD over on-premises link is acceptable

• Security policies allow AD ports to be exposed to internet

• Comfortable architecting highly available connectivity to on-premises AD

1If users are on premises via trust, application requires update; otherwise AD Connector will be needed2Subject to delegation constraints

AD Connector

• AD proxy for Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail

• Authentication and LDAP forwarded to on-premises AD• Applications can look up on-premises users and groups• Users authenticate using existing corporate credentials

• Supports EC2 seamless domain join• EC2 discovers domain name from AD Connector• EC2 by-passes AD Connector for everything else

• Customers who intend to run Windows applications and workloads in AWS should use Microsoft AD

Proxy solution to use on-premises AD accounts with AWS Enterprise Applications

AWS Microsoft AD

AWS Directory Service: Microsoft AD

• Microsoft Server 2012 R2 Enterprise Edition running Active Directory• Multiple Availability Zone deployment – Highly available directory• AWS monitoring, software updates, and daily snapshots – Eliminates operational overhead

• Customer-administered users/groups/computers and policy control• Create users, groups, and policies with Windows native AD tools – Familiar tools for

administration• Kerberos-based single sign-on – Same end-user experience as on-premises• EC2 seamless domain-join – Policy managed EC2 instances

• Enables use of AWS applications and services• RDS SQL Server, WorkSpaces, WorkDocs, WorkMail – More ways to benefit from AWS

services

• Easy to set up trust relationships • SSO with on-premises user accounts – End users can keep current identities• Share on-premises resources with EC2 – Keep existing group policy infrastructure

Microsoft AD resource domain via trusts

Establish one-way trust from AWS Microsoft AD to existing corporate domainDomain users access resource domain in AWS without having to re-authenticateIf EC2 instances require access to on-premises devices (e.g., printers), a two-way trust is required

AD AD

On-premises Network

VPC

Trust

AWS MicrosoftAD DC

WindowsAD DC

Resource Forest – One-way transitive trust

Corporate Network

VPN / Direct Connect

DC2AWS Microsoft AD

company.aws company.local

Customer AD DS

Users

One-way transitive trust

Direction of Access

Compute resources

Corporate Identity

WorkSpaces 1RDS:MS SQL

EC2

1 If using Amazon WorkSpaces, the Trust must be a two-way transitive trust

Setting up AWS Directory Service

1) Select Directory Servicein the AWS Console

3) Select Create Microsoft ADfor the directory type

2) Select Set up directoryfrom the menu

4) Configure the Directoryand VPC details

User, group, policy management via Microsoft tools on domain-joined computers

AWS Microsoft AD known limitations

Roadmap items• LDAPS• Application enablement• Support for more than 50,000 users

Applications not yet supported• Those requiring

• Elevated permissions to install or run• Container access• Managed service account creation• Running code on the domain controller, or registry changes

• Examples: Microsoft Exchange, SharePoint, AD Federation Services

AWS Microsoft AD - Summary

AWS managed domain controllers in different Availability ZonesAutomatic patching, replication, and daily snapshotsEasy setup and administration via the AWS console and existing toolsDelegated administrative rights to dedicated OU

• Create, read, update, and delete users and groups• Domain-joined machines added to DNS, assigned static IP addresses within

VPC• Apply group policies

750 hour free trial for new AWS Directory Service customers

AD On EC2 Windows

Active Directory architectureManaging your own Active Directory

IP addressing and DNS

Availability strategy

Global catalog servers

Sites & services

Domain-joining instances

Supporting AWS enterprise apps

Active Directory instance on EC2

Customer-managed Active Directory server running on EC2• Customer responsible for patching, monitoring, snapshots, and high availability• Connectivity via VPN or AWS Direct Connect• Security groups must allow traffic to and from on-premises data center• AD sites and subnets must be properly defined• Site-link costs must be configured• Enable domain members for "Try Next Closest Site“ group policy setting

Supports use cases and applications that require schema extension• Microsoft SQL Server• Microsoft SharePoint• Microsoft Exchange• Microsoft Lync/Skype for Business

Use when AWS Microsoft AD does not support use case

Microsoft workloads in Amazon VPC

Availability Zone

Private Subnet

DC3

Corporate Network

London

DC1

VPN

AD forest spanning AWS and corporate data center

Paris

DC2

Availability Zone

Private Subnet

DC3

Corporate Network

London

DC1

VPN

AD forest spanning AWS and corporate data center

Paris

DC2

XDC1 goes down, where do clients in London go for Directory Services?

AD forest spanning AWS and corporate data center

Properly implemented site topology and “Try Next Closest Site” policy enabled. Clients use least cost path to DC.

Availability Zone B

Private subnet

DC4

Corporate Network

London

DC1

VPN / Direct Connect

Paris

DC2

Cost 50

Availability Zone A

Private subnet

DC3Cost 10

company.localcompany.local

Availability Zone

Private Subnet

10.0.2.0/24

APPWEB

AppServer

IISServer

Availability Zone

Private Subnet

10.0.3.0/24

APPWEB

AppServer

IISServer

Remote Users / Admins

Domain Controllers

DC

corporate data center

VPN Connection

Adding Microsoft AD for AWS apps and services

DC

Domain Controller

DC

Domain Controller

Trust or Replication

Auth/LDAP

Auth/LDAP

Auth/LDAP

Application

DC

DB

RDS SQL

Server

MicrosoftAD DC

AWS Managed Services

VDI

WorkSpaces

DC

DB RDSSQL

Server

AWS Managed Services

VDI

WorkSpaces MicrosoftAD DC

Trust

Trust

ReferencesDocumentation

• AWS Directory Service – aws.amazon.com/directoryservice• Microsoft AD - aws.amazon.com/documentation/directory-service/• Amazon RDS SQL Server - aws.amazon.com/documentation/rds/• AWS Tools for PowerShell - https://aws.amazon.com/powershell/

Quick Starts - aws.amazon.com/quickstart/• Active Directory DS (Microsoft AD)• Exchange Server 2013 • SharePoint 2016 Enterprise• Lync Server 2013• SQL Server 2014 AlwaysOn• PowerShell DSC

Related Sessions

WIN201 - Simplifying Microsoft Architectures with AWS services (WIN201)WIN301 - Bring Microsoft Applications to AWS to Stay License CompliantWIN403 – Migrate Applications to AWS Quickly, Multisite Replication and SQL HAARC409 – Deploying Your First 100K Windows UsersDEV303 - Deploying and Managing .NET Pipelines and Microsoft Workloads

Re:Invent 2016 - Microsoft

Justin Bradley, Specialist SA Desktop and AppStreaming